U.S. Department of Agriculture
Office of Inspector General
Financial & IT Operations

Audit Report

Statement on Auditing Standards No. 70, Report on the National Information Technology Center General Controls Review – Fiscal Year 2008

Report No. 88501-12-FM
September 2008


UNITED STATES DEPARTMENT OF AGRICULTURE
OFFICE OF INSPECTOR GENERAL
Washington D.C. 20250

September 19, 2008

REPLY TO
ATTN OF:  88501-12-FM

TO:       Charles R. Christopherson, Jr.
          Chief Information Officer
          Office of the Chief Information Officer

THROUGH:  Sherry Linkins
          Office of the Chief Information Officer
          Information Resources Management

FROM:     Robert W. Young    /s/ Tracy LaPoint (for)
          Assistant Inspector General for Audit

SUBJECT:  Statement on Auditing Standards No. 70, Report on the National Information Technology Center General Controls Review - Fiscal Year 2008

This report presents the results of our audit of the internal control structure at the Office of the Chief Information Officer/National Information Technology Center as of June 30, 2008. The audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States including American Institute of Certified Public Accountants Professional Standards commonly referred to as a Statement on Auditing Standards 70 audit. The report contains an unqualified opinion on the internal control structure and contains no recommendations.

If you have any questions, please call me at (202) 720-6945, or have a member of your staff contact Jane Bannon, Director, Administration and Finance Division, at (202) 720-1918.


Executive Summary
Statement on Auditing Standards No. 70, Report on the National Information Technology Center General Controls Review - Fiscal Year 2008 (Audit Report No. 88501-12-FM)

Results in Brief

This report presents the results of our audit of the Office of the Chief Information Officer/National Information Technology Center’s (OCIO/NITC) internal control structure as of June 30, 2008. Our review was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States including American Institute of Certified Public Accountants Professional Standards as amended by applicable statements on auditing standards. Our report contains an unqualified opinion on the center’s internal control structure.

Our objectives were to perform procedures necessary to express opinions about whether (1) OCIO/NITC’s description of controls in exhibit A presents fairly, in all material respects, the aspects of OCIO/NITC’s controls that may be relevant to a customer agency’s internal control as it relates to an audit of financial statements; (2) the controls included and/or referenced were placed in operation and suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily, and customer agencies applied the controls contemplated in the design of OCIO/NITC’s controls; and (3) the controls we tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified were achieved during the period from July 1, 2007, through June 30, 2008.

Our audit disclosed that the control objectives and techniques identified in exhibit A presented fairly, in all material respects, the relevant aspects of OCIO/NITC’s control environment taken as a whole. Also, in our opinion, the policies and procedures, as described, were suitably designed to provide reasonable assurance that the control objectives would be achieved and were operating effectively.

Recommendation In Brief

We do not make any recommendations in this report.

USDA/OIG-A/88501-12-FM    Page i


Abbreviations Used in This Report

C&A      certification and accreditation
CMITS    Configuration Management Information Tracking System
DAA      designated approving authority
ID       identification
IS       information system
IT       information technology
NIST     National Institute of Standards and Technology
OCIO     Office of the Chief Information Officer
NITC     National Information Technology Center
OIG      Office of Inspector General
PIA      Privacy Impact Assessments
POA&M    plan of action & milestones
RA       risk assessments
SSP      System Security Plan
ST&E     Security Test and Evaluation
USDA     U.S. Department of Agriculture


Report of the Office of Inspector General

To:  Charles R. Christopherson, Jr.
     Chief Information Officer
     Office of the Chief Information Officer

We have examined the controls identified or referenced in exhibit A for the U.S. Department of Agriculture’s (USDA) Office of the Chief Information Officer/National Information Technology Center (OCIO/NITC). Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description of controls of the USDA’s OCIO/NITC presents fairly, in all material respects, the aspects of OCIO/NITC’s controls that may be relevant to a customer agency’s internal control as it relates to an audit of financial statements; (2) the controls included or referenced in the description had been placed in operation as of June 30, 2008; and (3) such controls were suitably designed to achieve the specified control objectives if those controls were complied with satisfactorily, and customer agencies applied the controls contemplated in the design of OCIO/NITC’s controls. The control objectives were specified by OCIO/NITC.

Our audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States and the standards issued by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

In our opinion, OCIO/NITC’s description of controls in exhibit A of this report presents fairly, in all material respects, the relevant aspects of OCIO/NITC that had been placed in operation as of June 30, 2008. Also, in our opinion, the controls included or referenced in exhibit A were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and customer agencies applied the controls contemplated in the design of OCIO/NITC’s controls.

In addition, we performed tests to obtain evidence regarding the effectiveness of specific controls in meeting the control objectives included in exhibit A during the period from July 1, 2007, through June 30, 2008. The specific controls and the nature, timing, extent, and results of our tests are identified in exhibit B. This information will be provided to customer agencies and their auditors to be taken into consideration, along with information about the internal control at customer agencies, when making assessments of control risk for customer agencies.

In our opinion, the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in exhibit A were achieved during the period from July 1, 2007, through June 30, 2008.

The relative effectiveness and significance of specific controls at OCIO/NITC and their effect on assessments of control risk at user organizations are dependent on their interaction with the controls and other factors present at individual customer organizations. We have performed no procedures to evaluate the effectiveness of controls at individual customer agencies as part of this audit.

The description of controls at OCIO/NITC is as of June 30, 2008, and information about tests of the operating effectiveness of specific controls covers the period from July 1, 2007, through June 30, 2008. Any projections of such information to the future are subject to the risk that, because of change, they may no longer portray the controls in existence. The potential effectiveness of specific controls at OCIO/NITC is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. The projection of any conclusions, based on our findings, to future periods is subject to the risk that (1) changes made to the system or controls, (2) changes in processing requirements, or (3) changes required because of the passage of time may alter the validity of such conclusions. Furthermore, the accuracy and reliability of data processed by OCIO/NITC and the resultant report ultimately rests with the customer agency and any compensating controls implemented by such agency.

This report is intended solely for the management of OCIO/NITC, its users, and their auditors.

/s/ Tracy LaPoint (for)

Robert W. Young
Assistant Inspector General for Audit

September 19, 2008


The subsequent sections of the report, Exhibit A (pages 3 through 42) and Exhibit B (pages 43 through 60), are not being publicly released due to the sensitive security content.